When designing a new and simplified signup page I got into an argument with a colleague about the necessity of the "repeat password" field.

We designed the signup process in such a way that the user will be logged in automatically after completing the email verification process. So, at least initially there will be no need for the user to enter their password. Therefore the user will only 'verify' the password when logging in the second time in case we omit the "repeat password" field.

We do have a "recover password" option so in the worst case the user could go through that process in case they mis-typed the password when signing up. But then again, how often do you mis-type your password?

Passwords are evil! Seriously, this repeat password rubbish is slowly dying out in the sites that have better signup and signin interaction designs. Try creating a new account on librarything.com for instance.
– Stephen, Aug 18 '10 at 0:23

4

openid is nice for home users, but if your site is aimed at larger corporates then a lot will have openid providers like yahoo blocked, possibly even myopenid.
– Chris S, Aug 22 '10 at 22:04

4

Twitter did great by me- their "don't need to retype your password" also includes a "don't tell you that you can't include spaces in your password" feature that caused me to create a password when I signed up that could not be accepted by their password page but they didn't tell me that at the time. Only after going through arduous password recovery did I find a page that finally told me my previous password was unacceptable...
– glenatron, Oct 13 '10 at 21:57

3

Typing a password incorrectly is incredibly rare, IF you're reusing the same password across multiple sites, because you've already typed it a thousand times or more. Users who follow better practice, by having a unique password for each site, are much more likely to mistype as they don't have the muscle memory trained.
– Bevan, Feb 28 '11 at 19:05

14 Answers

I'm no UI expert but I think in many cases it is unnecessary. Certainly in my own experience it is rare for me to enter a password incorrectly. A better solution is to not have a password at all. Use one of the growing number of authentication providers (e.g., OpenId, Google, Facebook, Twitter, etc). Why does the user need another password for your app or site?

The technical users of your app will use a password generator and/or storage mechanism. The non-technical users will use one of the favourite throwaway passwords that they use for many different sites/apps. Better to just integrate with an authentication system they already use. There may also be other knock on benefits for your application such as integration into Google Apps if you use Google's auth.

If you do choose to require the user to provide a new password to your application then at least don't clear the password field on form entry error. Nothing is more infuriating than having a password field get cleared because you make an error in some other part of the form. You fix the error, resubmit, and then there is an error again because the password is missing. This drives me nuts. If you are concerned about echoing the user's password back in the HTML, don't. There are many other options. Encrypt it in the form, remember it in session state, use a dummy password in the HTML. Whatever, just don't force the user to enter it again!

Just OpenID!! Do something like stackoverflow. provide buttons for simple login using OpenIDs.
– Morteza M., Aug 18 '10 at 18:35

1

I would also add third party apps as authentication providers. But please consider: Nobody (statistically speaking) has an OpenID and knows of it. Our webservice has several hundreds of thousands of users and less than 5% of all logins are openID logins.
– Oliver, Jan 6 '13 at 13:15
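The "remember it in session state, use a dummy password in the HTML" option from the answer above, as an added example that is not the answer's own code: a framework-free Python signup handler that keeps a valid password server-side under a one-time token when some other field fails validation, re-renders the form with only a sentinel in the password field, and recovers the parked value on resubmit. The dict-based form and session, the field names, the 8-character rule and the PBKDF2 storage are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

SENTINEL = "********"   # what the re-rendered password field carries instead of the secret
ITERATIONS = 200_000    # PBKDF2 work factor (assumed value for the example)

def hash_password(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def valid_email(email):
    return "@" in email and "." in email.rsplit("@", 1)[-1]

def handle_signup(form, session):
    """Process one POST of the signup form (form and session are plain dicts).

    Returns (status, payload, errors): ("created", password_hash, []) or
    ("rerender", field_values, errors). On re-render a password that passed
    validation is parked in the server-side session under a one-time token and
    the HTML only ever carries SENTINEL, never the secret itself."""
    email = form.get("email", "")
    password = form.get("password", "")
    token = form.get("password_token")
    if token is not None and password == SENTINEL:
        # Resubmission after an error elsewhere: recover the parked password.
        if hmac.compare_digest(session.get("pw_token", ""), token):
            password = session.pop("pw_value")
            session.pop("pw_token")
        else:
            password = ""  # stale or forged token: ask again, never store the sentinel
    checks = (("email", valid_email(email)), ("password", len(password) >= 8))
    errors = [name for name, ok in checks if not ok]
    if not errors:
        return "created", hash_password(password), []
    values = {"email": email, "password": "", "password_token": ""}
    if "password" not in errors:
        # Only a password that passed validation is parked, and only until the next POST.
        values["password_token"] = session["pw_token"] = secrets.token_urlsafe(16)
        session["pw_value"] = password
        values["password"] = SENTINEL
    return "rerender", values, errors
```

The parked value lives only between two consecutive POSTs of the same session; a production handler would also expire it after a short timeout.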

It's not a requirement, especially if you have a way to reset it. I would bet that a lot of people use cut and paste on that anyway. I tend to be of the mindset that signing up for anything should be as easy as possible. JMHO.

I've been saved a couple times on the typos. I'm sure the reason it's there is the first internet company that required a password did not have two fields, but only had one field. 80 percent of their support calls were how to change a password. So they added a second field and created an automated way to retrieve and change the password.
– Chuck Conway, Aug 17 '10 at 16:04

3

You cannot cut to the clipboard from a password field in the browsers I've used.
– mskfisher, Aug 17 '10 at 17:11

The question boils down to "what's the cost of a mistyped password". With some systems that cost is high, and that's why they ask you to retype. For example if you are setting up an account on a (non-free) ISP then being unable to access your account probably involves going through a whole load of identity verification steps with tech support.

With a lot of free online systems the cost of a password mistype is low. If you mistyped your Twitter password the worst that can happen is that you have to create an account a second time. Likewise if you mistype it in Facebook, and they've got your email, you can request a password reset, which is why they ask for your email twice and not your password.

As most systems become the second type, rather than the first, password repeats are going to get rarer.

I agree with the argument ‘cost of a mistake’. It's better to prevent mistakes from happening than to offer ways to fix them. In an encryption desktop app, the cost of a typo would be very high (bye bye data), so having to enter it twice is a small fee to pay.
– Peter Frings, Mar 1 '11 at 17:47

While creating a password protected archive file using WinRAR, there is an option "show password". If you check that option, you don't need to retype the password. Because when the password is not visible there is a high probability that the user can make a mistake and end up with a wrong password.

Yes, sometimes. Why? Because sometimes you don't verify a user's details when they sign up, meaning that if they forget their password, it's more difficult to allow them access again.

Reddit and Yahoo don't verify email addresses (at all), so it's more important that the user doesn't forget their password. This is why they have two password boxes.

Twitter and Facebook don't give users full access if they haven't verified their email address. Since they want their users to be verified, ideally, it's more important to get their contact details correct than their password.

I've been moving away from masked password fields. If the user sees what they're writing, they're better able to remember it (visual enforcement), they can see if there's typos, there's no need to re-type it, and my personal opinion is that it's less stressful on the user.

But wouldn't this prevent users from signing up if their computers are not secluded?
– Sruly, Aug 17 '10 at 15:28

If a user signed up for your site from any of the computers at my place of employment, we would have their password because all of the plain text gets recorded.
– LoganGoesPlaces, Aug 17 '10 at 15:47

@LoganGoesPlaces the same would happen regardless. The only way to prevent it is by using SSL.
– Chuck Conway, Aug 17 '10 at 16:07

2

@LoganGoesPlaces - how do you record it? By reading the values from the form? By capturing keystrokes? Both of those will read values in password fields as well.
– Charles Boyung, Aug 17 '10 at 18:32

5

I personally prefer having the password masked and providing a checkbox that allows the user to see the password. Of course this all depends on the application and the usage scenarios. For example think of an e-mail system like Gmail. There is a possibility that a student is giving a presentation on a professor's laptop and needs to get his/her slides that were e-mailed to himself/herself. This is a case where the individual would want the password field to be masked, because everyone could see the password on the projector otherwise.
– Waleed Al-Balooshi, Aug 17 '10 at 20:25

The point of asking a user to type their password twice is to ensure that there are no accidental spelling errors in their password. If you skip this step and they did spell something wrong, they would have to go through a whole password recovery/password change process, which can take a while depending on security requirements/user abilities.

I personally feel that just one user having to go through password recovery because of an extra character/missing character/etc is one too many. Especially when retyping the password is such an easy step. Of course some people will copy and paste the first into the second, but that is their fault. I did my best to help the user avoid that issue.

I know where you are coming from but I really think I have done this before. I can't put my finger on it. Perhaps the form was a standard input field with custom character masking?
– LoganGoesPlaces, Aug 17 '10 at 18:04

I feel that the one person who made a typo and has to go through the password recovery process should not cause thousands of other users to make an unnecessary step.
– idophir, Aug 17 '10 at 19:30

If only it were just one person. When I was trapped on a helpdesk, the majority of calls were for password related issues. So maybe the whole system is broken anyway?
– LoganGoesPlaces, Aug 17 '10 at 21:16

As others have said: If you aren't going to be sending the password back to the user or make recovery very easy, then having a double password can be an effective way to avoid user error (typos specifically). I have fallen prey to typos on several occasions; I think with requirements for capital letters the number of typos goes up, but I have nothing but my own anecdotal evidence to prove it.

I don't think you should make this decision based on perceived cost: If I have to create a new account I no longer get my preferred name/username and end up with some weird numeric addition, which itself becomes difficult to remember. Also the perceived cost to any one of us will probably be lower than the average user's.

I really like the iPhone method of showing me just the last character I typed. It does a fairly good job of giving obfuscation and information in just the right amounts to people who are probably entering passwords in public places.

I still use the double-password, I'd prefer to err on the side of limiting user error; it's not as bad as the double email.

I initially thought "if your users are not very savvy, a repeat password field helps them avoid errors". But, on the other hand, users that are not computer-savvy might be horribly confused by the second field. After all, in the real world, there is no such thing as repeat fields.

I think the nicest option, but harder to implement, is to not have a repeat, but include a "do not mask my password" box.

Most people will just fill out the second password field without bothering. If you really want to educate them, make the label clear, add a little explanation or add a “why?” link/popup/...
– Peter Frings, Mar 2 '11 at 8:19

I worked on a project where users didn't have to repeat the password. One day we got an angry email from a user who claimed that we displayed his password - in clear text - in the upper right corner.

It turned out that when he signed up he had entered his password, and then without looking up, tabbed on to the next field and repeated his password. Except that field was 'First name'.

He wasn't stupid, nor was he not paying attention. He was displaying something that we designers should strive for: Habituation. It's like a turbo switch in the user's head, except you can't always control things at high speed.

There are at least two broken things here

Having to create an account in the first place (use openid, google, etc)

One problem with this - you say "nor was he not paying attention". Sorry, but you are wrong there - if he typed his password into the first name field, he clearly was not paying attention.
– Charles Boyung, Mar 1 '11 at 14:25

Start off hiding the password. Give the guy a toggle button that will unhide/rehide the password as he's entered it so far.

An unhide timeout might work: provide a button that will reveal the password for a half-second or so, then re-obscure it.

In both of these, the user enters the password just once. And he sees a message (not necessarily a prompt, but maybe it should be) to reveal and inspect the password before submit. As a backup, there's always (I think) the guy's email for password reset.

It depends on how important the security of the website is, what impression about security you wish to give the user and how strict your password requirements are.

For websites that require passwords to contain certain patterns/numbers/letters, you're best to have the user repeat the password, as my experience has been they are authoring a new password. So what they think they typed might not be what they entered.

For websites of leisure, is security really that important? Most likely not, and you might be dealing with the hit-and-run user sign up. So reducing the effort and time helps to improve your sign up conversion numbers.

For websites offering paid services, the user has already made/completed the purchase decision. Signing up is just a process they need to complete to access the service. Double prompting helps build trust that they can access this service they paid for, later. No one wants to reset their password for something they $paid$ for.